Bug 862937
Summary: | Memory leak in perl-libwhisker2 resp. Net::SSLeay | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Michal Ambroz <rebus> | ||||||
Component: | perl-libwhisker2 | Assignee: | Petr Pisar <ppisar> | ||||||
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
Severity: | unspecified | Docs Contact: | |||||||
Priority: | unspecified | ||||||||
Version: | 18 | CC: | huzaifas, paul, polpot78, ppisar, rebus | ||||||
Target Milestone: | --- | ||||||||
Target Release: | --- | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2014-02-05 12:26:29 UTC | Type: | Bug | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | |||||||||
Bug Blocks: | 862577 | ||||||||
Attachments: |
|
Current code prefers Net::SSLeay. Changing the preference is not wise for stable Fedora. I can add code selecting implementation, but not to change the default preference (though this could be done in F19). What's purpose of "auto" argument for init_ssl_engine()? The only difference between "auto" and unknown value is that the latter unsets SSL engine if no SSL engine can be found. I'm tempting to remove the "auto" completely. Hi Petre, I would guess that it is there just for consistency (I mean to have some argument).The init_ssl_engine("auto") is called by default in module initialization. I believe you can remove the "auto" value and call init_ssl_engine() instead. The current "auto" tries Net::SSL first and then Net::SSLeay, which is quite opposit to what is in pristine 2.5 libwhisker. If you do not want to change the behaviour within one release of Fedora it should be turned around. For nikto - just the posibility to choose the Net::SSL engine explicitly would be great, no matter what is the defaults. For slow servers the memory leak in Net::SSLeay is really pretty annoying. Best regards Michal Ambroz Created attachment 621841 [details]
https_client_whisker.pl
Attaching testing code for client using libwhisker for HTTPS connection.
As a server you can use simply apache ( yum -y install httpd mod_ssl ; service httpd restart ).
After 2000 requests the process using Net::SSLeay grows as much as 1.5GB.
Comparing to cca 15-30MB with Net:SSL I do not think there is any reason to use Net::SSLeay until it is fixed.
Michal Ambroz
Memory leak still problem for the Fedora 18. But the issue is probably not so big - the testscript https_client_whisker.pl seems to be running quite ok on F18 so I guess it might be nikto this time leaking somewhere else. This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life. Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 18's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The patch does not apply to sources as the patch is against generated code. I tried to patch the sources, but due the way how the sources are built it's wery hard to do that cleanly (BEGIN sections). Frankly, I don't have time to implement it. Please go to upstream. Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |
Created attachment 621208 [details] libwhisker-init-ssl-engine.patch Description of problem: libwhisker2 resp. Net::SSLeay seems to demonstrate memory leak. When nikto2 is using libwhisker together with Net::SSL everything seems to be fine, but when it is used together with Net::SSLeay, program depleats all system memory. Version-Release number of selected component (if applicable): How reproducible: 90% (relies on the response speed of the server, delay in response = problem) Steps to Reproduce: 1. Install libwhisker2 and Net::SSLeay and Net::SSL yum -y install perl-libwhisker2 perl-Net-SSLeay perl-Crypt-SSLeay 2. run nikto from the nikto2 package against some HTTPS host with slow reply: nikto host-to-scan.example.com -ssl -port 443 Actual results: By default the Net::SSLeay will be used and will leak all available memory in a short while Expected results: It should not leak the memory. If Net::SSL is used instead (for example if Net::SSLeay package is removed) no memory leak is visible and nikto process keeps steadily on something like 30MB. Additional info: Tested with: nikto-2.1.5 (and modified libwhisker) nikto-2.1.5-3.fc17 (nikto patched to use system wide libwhisker2) perl-libwhisker2-2.5-5.fc17.noarch perl-Net-SSLeay-1.48-1.fc17.x86_64 perl-Crypt-SSLeay-0.58-8.fc17.x86_64 Please could you consider adding a patch from nikto2 to libwhisker with possibility to initialize suitabe SSL engine or at least prioritize Net::SSL over Net::SSLeay. Michal Ambroz